Cisco Wireless :: 5508 - Client Authentication Fails For Wrong EAP-type

Jan 16, 2012

I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?

View 8 Replies


Cisco Wireless :: WLC 5508 - Lightweight AP Client Getting Wrong IP Address From DHCP Server

Mar 29, 2012

I have 2 units Cisco WLC 5508 running software version 7.0.220 with 70 over units Cisco AP 1262N and 1242AG. Some of wireless clients having problem to get the correct IP address from the DHCP server. There are 2 units of Microsoft DHCP. Both DHCP server ip have been configured on the Interface at the WLC. The core switch also being configured with ip helper. I've attached the debug output of one of the wireless client during the problem.

View 12 Replies View Related

Cisco Wireless :: Web Authentication On WLC 5508 Fails To Redirect / When Enter URL

Oct 19, 2011

I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble.The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web- browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
I we manually replace "cisco6a19c4" with it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems. [code]Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.DHCP to guest-users from separate broadband-router which is def gwy and "DNS".On the virtual interfaces no hostname is configured.

View 6 Replies View Related

Cisco Wireless :: 5508 WLC Excessive Client Authentication Association Failure

Jan 29, 2013

I have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means.

View 9 Replies View Related

Cisco Wireless :: New 5508 WLC And 3602i Access Points / Client De-authentication

Jan 25, 2013

Installed a new 5508 WLC last week, and finished bringing 68 new 3602i access points online in our College Dorms. We are seeing a lot of "Client De-authenticated" errors "Reason: Unspecified Reason: Code 1. Years ago I asked about error code 1. The reply from Cisco was: "The programers put the code in. It basically means we don't know what the problem is."Got a call from one of the dorms stating that students were getting knocked off the network while going to sites. If a student is wired, network is solid.Walked the dorm in question and was getting full bars of signals at all times, and was able to stream a movie from my Ultraviolet account without any break or slowdown as I moved from access point to access point. So.. my device, an iPad, was fully mobile and did not experience any disconnects.Did observe one student using a MacBook Pro. This student was constantly loosing connection to the access point. Checked the controller for the MAC of the student's computer. I did find deauthentication errors. BUT... this student's error was the computer was receiving an IP address from the DHCP that was already in use. At the computer the error message was a timeout issue.I am just learning the ropes on the 5508. Have used 3 4404s for the past six years.

View 2 Replies View Related

Cisco :: WLC 5508 How To Enhance Client Security Authentication

Dec 20, 2012

Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN." 

View 7 Replies View Related

Cisco Wireless :: 5508 APs Joining Wrong Controller

Nov 5, 2012

We have 3 5508 WLCs  (A, B, & C) and several LAPs (1140, 3500, 3600). The APs learn the controllers IP addresses through DHCP Option 43.  When we setup a new site we put the IP address of the controller we want the AP to join first.  Lately, I've noticed that regardless of which WLC IP I put first when I setup Option 43 the LAPs are always joining a particular controller.

View 6 Replies View Related

Cisco Wireless :: WLC 5508 Request Received On Wrong Vlan

May 31, 2012

We have two WLC's 5508. Following are its interfaces & details:mgmt on wlc1 & .252 on wlc2 access p on wlc1 & .252 on wlc2 there is no AP manager interface seen on both wlc's nor configured. both wlc1 & wlc2 are connected each to two switch ports, configured as normal trunk link each.LAG is enabled on both WLC's.

View 2 Replies View Related

Linksys Wireless Router :: WRT120N Authentication Type Open-greyed Out

Oct 24, 2011

I just purchased a Linksys WRT120N and have a couple of issues, one of them may force me to return it to the point of purchase.Once WPA2 is enabled, on the Wireless-Advanced Wireless Settings screen,, the Authentication Type (which was greyed out by default) changed from Auto to Open and remained greyed out.  I want to change this back to Auto.The other issue is that on the Status screen, the IP addresses of the domain name servers (DNS) are incorrect.  This screen displays the DNS server addresses sent by the ISP and are not displaying the DNS addresses that are hard coded on the main Setup screen - although if I run nslookup, the DNS server address displayed in the console window, is the one that is displayed on the Setup screen.
The more important of the two is the Authentication Type being Open and greyed out.  If this is something that cannot be changed, then I will be forced to return this for credit as it was the last unit on the shelf. I had reset the router back to the factory defaults and reconfigured it again, but this did not resolve either issue.  I'm tempted to think that both issues may be the result of defective firmware, which shows version 1.0.06.

View 8 Replies View Related

Cisco :: 1140 - Radio Type Of Wireless Client B / G Or N

Nov 28, 2011

We are using the CISCO-DOT11-ASSOCIATION-MIB in a Cisco Air AP 1140 device with release 12/4(21a)JA1 to find out the radio type of wireless client (B/G or N).  The clients in question are of type Wireless N and  Wireless B/G.  We are querying cDot11ClientDevType and cDot11ClientRadioType but the relation between the returned values and client/radio type is not clear:

2 devices returned: cDot11ClientDevType = 102 ==> pc4500Client(102) - client with a 4500 radio and ClientRadioType=2==> ccxClient(2) - CCX- compatible radio1 device returned: cDot11ClientDevType = 1==> unknown (1) – unknown and ClientRadioType= 1==> unknown(1) 

Questions: On a Cisco Air AP 1140 device

What OID needs to be polled to find if the client's radio type?What value is returned by this OID  if the radio type is B/G?What value is returned by this OID  if the radio type is N? 

View 1 Replies View Related

Cisco Wireless :: Client Type In 5500 Series WLAN Controller

Jul 5, 2011

The Release Notes for of WLC 5500 has a table which title is "Client Type", and it shows wireless adapters. My question is,
what kind of customer means? Wireless clients or clients for an specific application? If it was the first option, does it mean tha just this adapters could connect to my wireless network?

View 1 Replies View Related

Linksys Wireless Router :: DDNS Authentication Fails With E2000

Nov 13, 2010

Just purchased an E2000 (Firmware version 1.0.03) to use with DDNS. Much to my surprise there seems to be a problem with saving the password at the configuration screen. [code] With the above settings entered and the Update button pressed favorable results are obtained; the router reports that updates okay. However once the "Save Settings" button is pressed an update fails with the error "Authorization failure bad ID or password".Is anyone else experiencing this issue? Is the password field limited to certain characters?

View 9 Replies View Related

Cisco :: Configure ACS 4.2 To Only Allow Certain EAP-type Of Authentication Per SSID?

Mar 13, 2012

Is there away to configure ACS 4.2 to only allow certain EAP-type of authentication per SSID?  For example:  SSIDA - only allows EAP-TLS and SSIDB - only allows EAP-PEAP on the same ACS server?

View 1 Replies View Related

Cisco Wireless :: SSH To WLC 5508 Service Port Fails

Apr 30, 2013

We are trying to set up Out of band connection for Cisco 5508 WLC and when we try to ssh to the Service port from a remote switch, this fails. SSH or Telnet to the Management IP address works fine. The Service port and Managment IP are in the same IP scope but different subnet..i.e 172.16.10 for Management and 172.16.99 for Service port. Also, as this set up will be HA (AP SSO) in future, for which DHCP is recommended for the service ports, just wondering if SSh will be possible.

View 7 Replies View Related

Cisco Wireless :: WLC 5508 - Link Test Fails?

Jan 10, 2013

I have a WLC5508 working fine right now, using IOS 7.3
When I try to do a Link test on some users to check signal quality, noise, etc... I received the error message below

View 6 Replies View Related

Cisco :: WLC 5508 AP Group - Clients Using Wrong VLAN

Feb 14, 2011

I have a network setup as live-ssid.  It is using the Interface for VLAN 14.  All APs under the default-group AP Group obviously allows clients to DHCP an address from VLAN 14.  This is working fine.
I created a new AP Group called 3rd Floor.  This has the live-ssid setup, but instead of using the Interface for VLAN 14 it is setup for the Interface for VLAN 50.  I have all the APs on this floor moved to the 3rd Floor AP Group.
The problem is that 95% of the clients on 3rd Floor are still picking up DHCP addresses from VLAN 14.  I checked and all the clients are connected to the APs on the 3rd Floor.  Only 4 Clients are getting an address from VLAN 50.
I'm not sure if something is configured wrong or not since some devices pick up the new VLAN and the rest don't.  I've manually reboot the APs on the 3rd floor to see if that would fix it.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 EAP-TLS Re-authentication Fails

Jan 21, 2013

I configured WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC and Cisco ACS It is configured with computer authentication and computers certificates are autoenrolled from Microsoft PKI.It works well!
Now I configured Windows 8 with same configuration.First authentication works but if I manually disconnect and reconnect, I got this error on ACS: 22047 Principal username attribute is missing in client certificate.In EAP packets, we could see that Windows 8 sent a TLS session ticket but session was not resumed correctly by ACS..On ACS configuration, we checked this option "Enable EAP-TLS Session Resume" with session timeout "7200".

View 2 Replies View Related

Cisco VPN :: C5510 Windows 7 VPN Client 5.0.07 0410 Wrong Default Gateway

Jan 21, 2011

This is terminating on an ASA c5510 sec+ running 8.3(2)  Client devices running XP with the same VPN client get an address from the ASA pool e.g. with no default gateway. Users are able to connect without a problem.  Windows 7 (32bit) clients with this same VPN client get this address but get a default gateway and are unable to connect for obvious reasons.

View 7 Replies View Related

Cisco VPN :: ASA 5510 / AnyConnect Secure Mobility Client Selecting Wrong

Feb 27, 2012

Here is the pertinent information first...
Windows 7
Cisco AnyConnect SecureMobility Client 3.0.4235
Cisco ASA 5510 firewall 8.2
The problem is.....When I log in, the client does its start-up bit, and then displays a "This certificate is intended for the following purpose(s):" message.  If I decline the certificate, it gives me the error message shown in the image, but I can otherwise continue and establish my VPNs with no problem. 
Unfortunately, the certificate it selects has nothing to do with my organization  ( in fact, the certificate is for "*"  - see images).  To make matters worse, I can not find this referenced certificate anywhere under my user context in Windows.
I have tried removing, rebooting, and re-installing - it does no good.How do I force the client to stop using this incorrect certificate, and to at least use one that belongs to my organization? 

View 7 Replies View Related

Cisco :: PIX515 - VPN Client Get Wrong Default Gateway In Windows 7 64bits

Sep 17, 2011

After we change the firewal from PIX515E to Fortigate311B, one notebook which installed Cisco PN client in WIN7 64bits can not access VPN because the default gateway is not correct. For example the IP get from Ip pool is but the default gateway IP is ?

View 2 Replies View Related

Linksys Wireless Router :: WRT310N V1 DHCP Client Fails To Renew Lease

Apr 28, 2013

I have a Linksys WRT310N v1 with firmware v1.0.10 build 002Jul 19, 2010 My router fails to renew it's DHCP lease from my cable provider, causing internet access to drop. I can still access my cable modem at, but I must do a "IP Address Release" then "IP Address Renew" to get back internet access. The router works fine otherwise.

View 6 Replies View Related

D-Link DIR-655 :: DHCP Assign Wrong IP Address To Client Laptops (2)

Sep 3, 2009

DHCP enabled with default settings. Dynamic IP range from - shows laptop with however when I check the IP on laptop I have and both laptops are connected on my SSID with 90% signal strenght.

View 4 Replies View Related

Cisco Firewall :: Remote VPN User Client Type On ASA 8.3?

Jun 21, 2011

It seemed that show vpn-sessiondb ra-ikev1-ipsec will not provide the client type of the remote vpn user as show vpn-sessiondb remote did before.
Is there a way to find it out on ASA running 8.3?

View 1 Replies View Related

Cisco :: ACS 5.2 Machine Authentication Fails Every 30 Days

Jan 9, 2012

Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password".TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero. Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem

View 16 Replies View Related

Cisco VPN :: ASA 8.2(5) / AnyConnect Fails At First Attempt (certificate Authentication)

Jan 25, 2012

I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is  to force user to connect from registered machines only (winXP & win7 x32 and  x64). To do this, I used machine certificates issued by own CA. Certificate  is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA  validating machine certificate, then user is prompted for username/password  and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The  appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get:
Type        : Error
Source      : acvpnagent 
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150

Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.

View 3 Replies View Related

Cisco Security :: ACS 5.1 802.1x Authentication Fails On LAN When WLAN Connected

Aug 23, 2012

I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.This is an intermittent fault and only effects users with both LAN and WLAN enabled. Running ACS, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.Certificates are issues by group policy and only using computer authentication.

View 2 Replies View Related

Cisco :: ASA5500 - Wireless Client Authentication Using ISE

Jul 24, 2012

I am designing wireless controller solution for one of our customer network with Cisco 5500 series controller, wireless client authentication part.
1.       There are 25 departments around the campus, each will be given one or two access points.
2.       One Cisco AIR-CT5508-50-K9 Controller shall be used.
3.       Single SSID/ VLAN shall be used for entire campus.
4.       Wireless Authentication credentials used by one department shouldn’t work for other department

View 7 Replies View Related

Cisco :: 5508 - AD Authentication For Wireless Networks

Mar 12, 2013

We've recently boughten new equipment to upgrade/replace some of our aging wireless hardware. We're moving to a pair of 5508 controllers and changing over to ACS 5.4. Currently we're just doing MAC filtering with ACS 4.2 and local users. I'd like to move most of our SSIDs to some type of AD authentication. Are there any all encompassing guides that layout the design behind that? So far I haven't had much luck finding one!
Also, would it be possible to maintain some of the local ACS users/MAC filtering? We have some mechanical equipment that connects to our network (separate SSID) but cannot join a domain.

View 5 Replies View Related

Cisco Wireless :: WLC 5508 - Web Authentication With Gingerbread 2.3.6?

Jan 7, 2013

I having some troubles with Web Authentication in a WLC 5508 version 7.2 to make authentication with the corporative phones, ANDROID GingerBread 2.3.6 model SAMSUNG GT-S7500L. When I try to connect to the VisitorsWirelessLAN in order to authenticate with web authentication the page never comes, in fact the phone never gets the IP. I have an iPhone and I have not problems, I have a Samsung Galaxy S2 with ICS 4.0.1 and works perfect, is only with gingerbread

View 2 Replies View Related

Cisco Wireless :: 5508 - AAA Authentication Failure

Aug 3, 2011

I've set up several local network users (Security > Local Net Users) on the WLC (5508 running Whenever I try to connect with one of these user accounts (I'm testing this out for now), the attempt is unsuccessful and I see an "AAA Authentication Failure for UserName: xxxxxxx User Type: WLAN USER" in the Trap Log. I thought that after trying to authenticate through a RADIUS server, the local user database would be polled and then a user account in that database would be able to authenticate.

View 1 Replies View Related

Cisco Wireless :: 5508 / How To Configure Web Authentication

Jun 9, 2012

Can we configure the wireless controller 5508 to authenticate the clients using both of MAC address Filtering (layer 2 security) and Web authentication (layer 3 security). and what is the difference between (Web policy --> authentication) and (Web policy --> on MAC filter failure)

View 6 Replies View Related

Cisco :: Enable Password Fails In AAA Authentication Method List?

Jul 15, 2011

I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:

1d02h: RADIUS: Marking server,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10


View 14 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - LDAP Authentication Works / Authorization Fails

Oct 24, 2011

I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA.  In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down.  I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain.  As a condition, it shows up as DomainName:External Groups.  I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store.  I adjusted the Identity Sequence and now I receive a the following error:
15039:  Selected Authorization Profile is Deny Access.  So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved